HSM and Vault APIs

Scenario: Embedded devices to cloud platform communication.

There is a set of secure bytes that I want to encrypt with the “custom” key that is different for every device. This is a scaling and operations challenge as we don’t want to build anything device specific into the cloud platform. Each device has a unique asymmetric key pair because of mTLS. So, if we put these secure bytes in a HSM/Vault so that not even we know them, and then when each device needs to retrieve that data securely, we provide the public key of the device to the HSM/Vault and it then encrypts the secure bytes using that key. We then provide the cipher-text back to the device that has the corresponding private key to decrypt and get access to the secure bytes.

Does Vault or any other HashiCorp products provide an API for such functionality? If so, can you please direct me to the relevant documentation?